2V0-642 Flashcards

1
Q

What are the five basic steps for installing NSX?

A
  1. Deploy NSX Manager
  2. Register NSX Manager with vCenter
  3. Deploy NSX Controllers
  4. Prepare Hosts
  5. Deploy and configure NSX Edge Gateway(s) and configure network services
2
Q

How does the host preparation process work?

A

Several VMware Installation Bundles (VIBs) are installed to enable VXLAN, distributed routing/firewall, and a user world agent (netcpa) for control plane communications.

3
Q

How does NSX Manager ensure security of control plane communications?

A

It creates and installs self-signed certificates over a secure channel for the nodes of the controller cluster and for the ESXi hosts. Mutual authentication of NSX entities occurs, encrypting control plane communications with SSL.

4
Q

What happens when NSX Manager fails?

A

This only impacts management plane traffic. Data plane traffic will continue to flow seamlessly.

5
Q

What is slicing?

A

Slicing is a mechanism used on the NSX Controller cluster nodes to distribute workloads, which allows for all nodes to be active at one time. Each node will be master for different roles and virtual networks.

6
Q

What is the master role responsible for on a NSX Controller node?

A

Allocating slices to nodes, determining when a node has failed, and reallocating slices to other nodes. It also informs the ESXi hosts about a node failure so the hosts can update their internal node ownership mapping.

7
Q

What is the primary reason for deploying a controller cluster with an odd number of nodes?

A

The election of the master for each role requires a majority vote of all active and inactive nodes.

8
Q

What happens when the majority is lost on the controller cluster (i.e. only one node remains)?

A

The last node will revert to read-only mode. The existing configuration will continue to work, but no new modifications are allowed until the majority number is re-established.

9
Q

What is the recommended placement for controller nodes in the virtual environment?

A

Three separate ESXi hosts. Create a vSphere Anti-Affinity rule to keep the nodes separated.

10
Q

What are some of the benefits to using an overlay technology like VXLAN?

A

VXLAN decouples the virtual network from the physical network. Below are some of the challenges that can be overcome with overlay technologies.

  1. Agile/Rapid Application Deployment: Provisioning the physical network to support new requirements has a large overhead, often taking days (sometimes weeks) to complete the rollout. Virtual networks can be created and provisioned in minutes.
  2. Workload Mobility: Virtual workloads move around from host to host. Traditional DC design would involve VLAN extension to the entire DC. This creates large overhead, potential for STP nightmares in the form of outages and lower throughput, and scalability issues.
  3. Large Scale Multi-Tenancy: Cloud providers need more than the 4094 VLANs that the traditional network provides. VXLAN uses a 24-bit identifier, the VXLAN Network Identifier (VNI), which allows for a far greater number of network IDs compared to 802.1Q’s 16-bit field.

11
Q

How does the NSX VXLAN implementation differ from RFC 7348?

A

NSX uses UDP 8472 for VXLAN. The RFC IANA assigned port is UDP 4789.

12
Q

What is the minimum recommended MTU for the physical network to support VXLAN?

A

1600

13
Q

What is the difference between user space and kernel space on an ESXi host?

A

User space consists of software components that provide the control plane communication path to the NSX Manager and controller nodes.

Kernel space consists of the actual kernel modules from the VIBs that control routing, switching, and firewalling.

14
Q

What are the two main processes used for control plane communications on ESXi hosts?

A

vShield Firewall Daemon (vsfwd) and netcpa (User World Agent)

15
Q

What is the purpose of vsfwd (RabbitMQ Client)?

A

An RMQ message bus is leveraged for communication between vsfwd on the host and the RMQ server process hosted on NSX Manager.

The bus is used by NSX Manager to send various information to the hosts, including policy rules that need to be programmed on the DFW kernel module, private keys and host certificates for authentication, controller node IP addresses, and requests to create/delete DLR instances.

16
Q

What is the purpose of netcpa (User World Agent)?

A

Establishes TCP-over-SSL communication channels to the controller cluster nodes. The nodes leverage this channel with the ESXi hypervisors to populate local tables (MAC, ARP, VTEP) and to keep track of where the workloads are connected in the logical networks.

17
Q

In what form is NSX Edge deployed: a VM or a kernel module?

A

VM Appliance.

18
Q

What modes of operation does NSX Edge support?

A

Active-standby and Equal Cost Multi Pathing.

19
Q

What services does NSX Edge Active-Standby mode support?

A

All Edge services are available in this mode.

20
Q

What services does NSX Edge ECMP mode support?

A

Only the routing services. Stateful services are not supported because ECMP inherently introduces asymmetric routing.

21
Q

What services does NSX Edge support?

A

Routing, SNAT/DNAT, Firewall, Load Balancing, L2/L3 VPN, DHCP and DHCP relay, DNS relay, IPAM.

22
Q

What is a Transport Zone?

A

A collection of ESXi hosts/clusters that can communicate with each other across the physical network. Also defines the span of logical switches.

23
Q

What services does the NSX DFW provide?

A

L2-L4 stateful firewall services.

24
Q

How are DFW policy rules written?

A

L2 rules (Ethernet) or L3/L4 rules.

25
Q

What rule type takes precedence in the DFW?

A

L2 rules are always enforced before L3/L4 rules. If traffic is blocked by an L2 rule, no L3/L4 rule can permit it.

26
Q

Where does the NSX DFW operate?

A

Kernel-space at the VM vNIC level. The policies will always be enforced on the VM irrespective of topology.

27
Q

Which VIB contains the DFW function?

A

VMware Internetworking Service Insertion Platform (VSIP)

28
Q

What process on the ESXi hosts is used as a communication path between ESXi and vCenter?

A

The vpxa process. This is only used for vSphere purposes, including VM creation, storage modification, and NSX Manager IP address distribution.

29
Q

What purpose does SpoofGuard serve?

A

Protects against IP spoofing by maintaining a reference table of VM name and IP address.

30
Q

What is BUM traffic?

A

Broadcast, Unknown Unicast, Multicast.

31
Q

What are the three replication modes supported by NSX?

A

Multicast, Unicast, and Hybrid.

32
Q

What needs to be configured on the physical network when using multicast replication mode (BUM traffic)?

A

IGMP Snooping and PIM (L3 Multicast Routing).

33
Q

What are the downsides to using multicast replication mode for BUM traffic?

A

As L2/L3 Multicasting needs to be configured on the physical network, the virtual network is no longer decoupled from the physical network, completely negating all of the benefits of NSX’s type of SDN.

You also add IT management overhead as you need to manage the VXLAN to multicast group mappings.

34
Q

What are the options when designing VXLAN to multicast group mappings in the multicast BUM replication mode?

A

The first option is a 1:1 mapping, which allows a very granular approach. This also greatly increases the amount of multicast state information that has to be stored in the physical network devices. Understanding the maximum number of groups per device is paramount.

The second option is to assign a single multicast group to all VXLAN segments. This approach dramatically reduces the volume of multicast state information that needs to be retained, but will also increase resource utilization on the ESXi hosts as they will be processing unnecessary traffic.

35
Q

How does Unicast Mode for BUM traffic replication work?

A

This mode is the complete opposite of Multicast Mode in that full decoupling of the physical and logical networks is achieved.

ESXi hosts are divided into separate groups (VTEP segments) depending on the subnet of the VTEP interfaces. One host from each segment is chosen to be the Unicast Tunnel End Point (UTEP), which is responsible for replicating multi-destination traffic received from remote VTEP segments to its local segment. UTEPs are selected locally to each ESXi host. This helps distribute replication duties across multiple VTEPs.

36
Q

How does Unicast Mode for BUM traffic optimize replication behavior?

A

Every UTEP will only replicate traffic to ESXi hosts on a local segment that have at least one VM actively connected to the logical network where multi-destination traffic is destined.

In the same way, traffic will only be sent by the source ESXi to the remote UTEPs if there is at least one active VM connected to an ESXi host in that remote segment.

37
Q

How does a remote UTEP know it needs to replicate BUM traffic to its local segment?

A

The “REPLICATE_LOCALLY” bit is set in the VXLAN header.

38
Q

How does Hybrid Mode for BUM traffic replication work?

A

Hybrid mode offers operational simplicity similar to Unicast Mode (IP multicast routing configuration is not required in the physical network) while leveraging the L2 multicast capability of physical switches.

IGMP Snooping as well as IGMP querier definitions per VLAN need to be implemented on the physical switches.

VTEPs responsible for local segment traffic replication are called Multicast Tunnel Endpoints (MTEP) in this mode.

39
Q

How are the NSX Controller VTEP, MAC, and ARP tables populated?

A

When the first VM connects to a VXLAN segment on an ESXi host, a control plane message is generated and sent to the controller node responsible for the specific logical network slice. The control plane message contains the VNI and VTEP IP for the segment, and the locally connected MAC and IP addresses for the VMs on that segment.

The controller node then populates its respective tables. A copy of the VTEP IPs per segment is sent out to all VTEPs.

40
Q

How do the ESXi hosts learn the IP addresses of the VMs?

A

For VMs obtaining their IP address via DHCP, the host will snoop the response sent by the DHCP server. For VMs that are statically addressed, ARP requests originated by the VMs will be used to learn their IP addresses.

41
Q

How does the NSX Controller perform ARP suppression for virtual to virtual unicast traffic?

A

Using its tables, the controller will respond to ARP requests with the appropriate information. When a VM generates an ARP request, the ESXi host intercepts the message and generates a control plane request to the controller asking for the MAC/IP mapping information.

If the controller has the required information in its ARP table, it will send an ARP report to the ESXi host with the MAC/IP mapping. The host will then update its local ARP table with the information contained in the report. The host will then generate an ARP reply on behalf of the destination VM and deliver it to the source VM. This process is invisible to the VMs.

42
Q

What happens if the NSX Controller does not have the requested IP/MAC mapping for an ARP request?

A

The controller will notify the requesting ESXi host, and the host will flood the ARP frame in the local VXLAN segment.

43
Q

What are some reasons for needing NSX L2 bridging?

A

Deployment of Multi-Tier Applications: Web, application, and database tiers can be deployed as part of the same IP subnet. Web and application tiers typically leverage virtual workloads, while the database tier commonly deploys bare-metal servers. As a consequence, it may be required to establish intra-subnet/intra-L2 domain communication between the application and the database tiers.

Physical to Virtual (P-to-V) Migration: During an ongoing migration project, virtualization of applications previously running on bare metal servers is required to support the mix of virtual and physical nodes on the same IP subnet.

Leveraging External Physical Devices as Default Gateway: A physical network device may be deployed to function as a default gateway for the virtual workloads connected to a logical switch. In this case an L2 gateway function is required to establish connectivity to that gateway.

Deployment of physical appliances: These devices could include common physical appliances that have not yet or will not be virtualized (e.g., firewalls, load balancers, etc.).

44
Q

Where is the bridging instance located?

A

On the host where the active DLR Control VM resides. If that ESXi host fails, the standby Control VM on another ESXi host is activated and restarts the bridging instance.

45
Q

How are VLAN to VXLAN mappings performed in a bridging instance?

A

The mappings are performed in a 1:1 fashion.

46
Q

How can you improve VXLAN to VLAN bridging scalability?

A

Through configuration, it is possible to create multiple bridges for different VXLAN-VLAN pairs and ensure they are spread across separate ESXi hosts.

47
Q

Where is the NSX L2 bridging data path located?

A

Entirely in kernel space rather than user space. The Control VM is only used to determine on which ESXi host a given bridge instance is active, not to perform the actual bridging function.

48
Q

What are the two types of logical routing present in NSX?

A

Centralized (on-ramp/off-ramp) and distributed. The former is mainly used for connections between the external and logical networks and is optimized for North-South traffic. The latter is optimized for East-West traffic as the routing is performed in the hypervisor of each ESXi host, instead of being pinned to the NSX Edge instance.